
LM Recertification: Revocations per LM (Indicator - IAM)


Process

Line Manager Recertifications (Process - IAM)

Indicator

LM Recertification: Revocations per LM

Version

1.0 READY FOR PEER REVIEW

Formula

Given that:

  • is the set of all line managers in the organization

  • is the subset of line managers that have not completed their recertification

  • is the subset of line managers that have completed their recertification and revoked 0 access rights

  • is the subset of line managers that have completed their recertification and revoked between 1 and access rights inclusive

  • is the subset of line managers that have completed their recertification and revoked more than access rights

  • are exclusive subsets

  • is the set cardinality function

The indicator is composed of the following series:

No Recert

Recert 0

Recert Low

Recert High
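The following is an added worked example, not code from the original page, showing how the four series above can be computed from per-manager recertification results. The symbols of the formula are not reproduced on this page; the classification follows the prose definitions instead. The input records, the line-manager identifiers and the threshold between "Low" and "High" (DEFAULT_THRESHOLD) are assumptions for illustration; the page does not specify the threshold value.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample data (not from the page): one record per line manager,
# stating whether the manager completed the recertification campaign and how
# many access rights the manager revoked during it.
@dataclass(frozen=True)
class LmRecert:
    lm_id: str
    completed: bool
    revoked: int

SAMPLE: List[LmRecert] = [
    LmRecert("lm-001", True, 0),
    LmRecert("lm-002", True, 2),
    LmRecert("lm-003", False, 0),
    LmRecert("lm-004", True, 9),
    LmRecert("lm-005", True, 1),
    LmRecert("lm-006", True, 0),
    LmRecert("lm-007", False, 3),   # revoked some rights but never signed off the campaign
    LmRecert("lm-008", True, 5),
]

# Assumed threshold: the page leaves the boundary between "Low" and "High" unspecified.
DEFAULT_THRESHOLD = 5

SERIES = ("No Recert", "Recert 0", "Recert Low", "Recert High")


def classify(rec: LmRecert, threshold: int) -> str:
    """Assign a line manager to exactly one of the four exclusive subsets.

    Completion is checked first, so an unfinished campaign counts as
    "No Recert" regardless of how many revocations were made along the way.
    """
    if rec.revoked < 0:
        raise ValueError(f"negative revocation count for {rec.lm_id}")
    if not rec.completed:
        return "No Recert"
    if rec.revoked == 0:
        return "Recert 0"
    if rec.revoked <= threshold:          # 1 .. threshold inclusive
        return "Recert Low"
    return "Recert High"


def revocations_per_lm(
    records: Iterable[LmRecert], threshold: int = DEFAULT_THRESHOLD
) -> Tuple[Dict[str, int], Dict[str, float], int]:
    """Return (subset cardinalities, ratios over all line managers, total).

    Each line manager may appear once only; duplicates would break the
    exclusivity of the subsets and inflate the denominator.
    """
    seen = set()
    counts = {s: 0 for s in SERIES}
    for rec in records:
        if rec.lm_id in seen:
            raise ValueError(f"duplicate line manager {rec.lm_id}")
        seen.add(rec.lm_id)
        counts[classify(rec, threshold)] += 1
    total = len(seen)
    if total == 0:
        raise ValueError("empty scope: no line managers to measure")
    # The subsets are exclusive and exhaustive, so the cardinalities sum to the total.
    assert sum(counts.values()) == total
    ratios = {s: counts[s] / total for s in SERIES}
    return counts, ratios, total


def needs_inquiry(records: Iterable[LmRecert]) -> List[str]:
    """Line managers in "Recert 0": completed but revoked nothing.

    These are the cases the rationale flags for follow-up, since a zero
    result cannot distinguish optimal access from box-ticking.
    """
    return [r.lm_id for r in records if r.completed and r.revoked == 0]


if __name__ == "__main__":
    counts, ratios, total = revocations_per_lm(SAMPLE)
    for name in SERIES:
        print(f"{name:12s} {counts[name]:3d} / {total}  = {ratios[name]:.3f}")
    print("follow up:", needs_inquiry(SAMPLE))
```

With the constructed sample, the ratios are 0.25 for No Recert, 0.25 for Recert 0, 0.375 for Recert Low and 0.125 for Recert High, and two managers (lm-001, lm-006) are listed for inquiry. The ordering in `classify` matters: lm-007 revoked three rights but is still counted under No Recert because the campaign was not completed.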

Benchmarking

This indicator is adequate for benchmarking given comparable scopes.

Rationale

The objective of this indicator is to measure the effectiveness of the LM Recertification process.

No Recert shows the ratio of line managers who failed to complete their recertification duty. This must be maintained as low as possible.

Recert 0 shows the ratio of line managers who completed their recertification duty but revoked 0 access rights. Two distinct causes may explain this result: 1) access rights were optimal and did not require any change or 2) the line manager ticked the boxes without due care. Further inquiry may be required to distinguish between the two.

Recert Low shows the ratio of line managers who completed their recertification duty and revoked a few access rights. This is what is normally expected.

Recert High shows the ratio of line managers who completed their recertification duty and revoked a large number of access rights. A one-time high may be caused by changes in the organization. But if the situation persists, it may reflect an inadequate setup in which line managers must continuously adjust access rights by hand; RBAC may be missing or poorly implemented.

Stakeholders

  • IAM Manager

  • CISO

  • IT Risk Managers

Scopes

This indicator may be specialized for different scopes. See Revocation Automation (Process - IAM) for typical scopes.

Negative Effects

  • In certain circumstances, the economic benefits of automation may be unjustifiable (e.g. when processing low volumes of IAM artifacts on non-sensitive IT systems). Pursuing this indicator blindly could lead to economic waste.

  • Poorly implemented automation may introduce new risks, e.g. silent automation errors that create a false sense of security, or automation mechanisms that are vulnerable to compromise or that cause a denial of service.

Data Sources

  • IT System inventory

  • CMDB

  • IAM software platform

Typical Frequency

Monthly

See Also

Sample Visual Representation

If one series is out of proportion with the others, we recommend using a broken Y axis rather than a logarithmic scale, which would be misleading.